5 April
You see the padlock icon in your browser's address bar and assume your website is secure. But is it really? An SSL certificate alone does not guarantee strong security — misconfigured protocols, weak ciphers, or expired certificates can leave your site vulnerable. This guide shows you how to test your website's SSL/TLS configuration using free tools, read the detailed report, and fix common issues to achieve the highest possible grade.
What Is SSL/TLS?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt data transmitted between a web browser and a server. When you see https:// in a URL, the connection is protected by one of these protocols.
SSL vs TLS — What Is the Difference?
SSL is the original protocol, but it has been deprecated since 2015 due to critical vulnerabilities. TLS is the modern successor — TLS 1.2 and TLS 1.3 are the current standards. Despite this, people still commonly use the term "SSL" to refer to both. When we say "SSL certificate" today, we actually mean a certificate used with the TLS protocol.
| Protocol | Version | Status |
|---|---|---|
| SSL 2.0 | 1995 | Dangerous — must not be used |
| SSL 3.0 | 1996 | Dangerous — vulnerable to POODLE |
| TLS 1.0 | 1999 | Deprecated — should be disabled |
| TLS 1.1 | 2006 | Deprecated — should be disabled |
| TLS 1.2 | 2008 | Good — widely supported |
| TLS 1.3 | 2018 | Best — fastest and most secure |
Why Should You Check Your SSL/TLS Configuration?
Simply having an SSL certificate installed is not enough. Here are five reasons why regular SSL testing matters:
- Data Protection — Weak ciphers or outdated protocols can be exploited by attackers to intercept sensitive data such as login credentials, personal information, and financial transactions.
- PDPA and Regulatory Compliance — Thailand's Personal Data Protection Act (PDPA) and international regulations like GDPR require organizations to implement appropriate security measures to protect personal data. A properly configured TLS connection is a fundamental requirement.
- SEO Ranking — Google has used HTTPS as a ranking signal since 2014. Sites with strong SSL configurations may receive a slight boost in search results compared to those with weak or missing encryption.
- User Trust — Modern browsers display warnings for sites with certificate issues. A single "Not Secure" warning can drive visitors away and damage your organization's credibility.
- Certificate Expiration — SSL certificates have a limited validity period (typically 90 days to 1 year). An expired certificate triggers browser warnings and disrupts service. Regular checks help you stay ahead of expiration dates.
Free SSL Testing Tools
Several reputable tools are available to analyze your SSL/TLS configuration at no cost:
| Tool | Type | Best For | URL |
|---|---|---|---|
| Qualys SSL Labs | Web-based | Industry-standard comprehensive test — the gold standard for SSL analysis | ssllabs.com/ssltest |
| SSL Checker (sslshopper.com) | Web-based | Quick certificate validity check — fast and straightforward | sslshopper.com/ssl-checker.html |
| ImmuniWeb SSL Test | Web-based | PCI DSS and HIPAA compliance testing | immuniweb.com/ssl |
| testssl.sh | Command-line | Offline/internal testing — ideal for servers not exposed to the internet | testssl.sh (GitHub) |
In this article, we focus on Qualys SSL Labs because it provides the most thorough analysis and is widely recognized as the industry benchmark.
How to Test with Qualys SSL Labs — 4 Simple Steps
- Open the site — Navigate to ssllabs.com/ssltest in your browser.
- Enter your hostname — Type your domain name (e.g., www.grandlinux.com) into the input field. Do not include https://.
- Wait 1-3 minutes — The tool performs dozens of checks against your server. The analysis typically takes one to three minutes depending on server response time.
- Review your grade — You will see a letter grade (A+ through F) along with a detailed breakdown of four scoring components.
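For servers that SSL Labs cannot reach (the internal-testing case the tools table reserves for testssl.sh), the protocol and expiry checks behind steps 1-4 can be reproduced locally with Python's ssl module. This is an added example written for this article, not code from Qualys or from Saeree; the hostnames are placeholders and the `probe` parameter exists so the reporting logic can be exercised without a network.

```python
import socket
import ssl
from datetime import datetime, timezone

# Versions rated in the article's protocol table, oldest first. SSL 2.0 is
# not probed: Python's ssl module cannot negotiate it at all.
VERSIONS = {
    "SSL 3.0": ssl.TLSVersion.SSLv3,
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake(host, port, version):
    """One handshake pinned to exactly `version`; True if the server completes it.
    False also covers a local OpenSSL that refuses to offer an old version, so
    confirm a negative with SSL Labs before concluding the server disabled it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # this probe tests protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def protocol_report(host, port=443, probe=handshake):
    """Map each version name to whether the server offered it."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS.items()}


def certificate_not_after(host, port=443):
    """Fetch the leaf certificate's notAfter with full verification on, so an
    untrusted chain surfaces here as an SSLError (SSL Labs grade T)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_until_expiry(not_after, now=None):
    """Whole days left on a 'Mon DD HH:MM:SS YYYY GMT' notAfter value (negative if expired)."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expires - now_ts) // 86400)
```

Run `protocol_report("your.host")` and `days_until_expiry(certificate_not_after("your.host"))` against a host you administer; a TLS 1.0 or 1.1 row reading "True" is the same finding SSL Labs reports as a grade capped at B.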
Reading the SSL Labs Report — 4 Scoring Components
The SSL Labs report evaluates your server across four components, each scored from 0 to 100. The final grade is derived from these scores combined with additional checks for known vulnerabilities.
1. Certificate (max 100 points)
This component checks whether your SSL certificate is valid, trusted, and properly configured.
| Check | What It Means |
|---|---|
| Trusted | Issued by a recognized Certificate Authority (CA) like Let's Encrypt, DigiCert, or GlobalSign |
| Not Expired | The certificate is within its validity period: its start date has passed and it has not yet expired |
| Correct Domain | The certificate's Common Name (CN) or Subject Alternative Name (SAN) matches the tested domain |
| Chain Complete | The full certificate chain (root CA + intermediate CA + server certificate) is properly served |
| Key Size | RSA 2048-bit or higher, or ECDSA 256-bit or higher — weak keys reduce the score |
2. Protocol Support (max 100 points)
This evaluates which SSL/TLS protocol versions your server supports. Supporting modern protocols earns a high score, while legacy protocols drag it down significantly.
| Protocol | Impact on Score |
|---|---|
| TLS 1.3 | Best — maximum protocol score, faster handshake, strongest security |
| TLS 1.2 | Good — still considered secure when combined with strong ciphers |
| TLS 1.1 / TLS 1.0 | Deprecated — caps grade at B regardless of other scores |
| SSL 3.0 / SSL 2.0 | Dangerous — immediately caps grade at F |
3. Key Exchange (max 100 points)
This measures the strength of the key exchange mechanism used to establish encrypted connections. Forward Secrecy is the most important factor here.
| Method | Forward Secrecy | Rating |
|---|---|---|
| ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) | Yes | Best — fast and secure |
| DHE (Diffie-Hellman Ephemeral) | Yes | Good — secure but slower; requires 2048-bit+ DH parameters |
| RSA (static key exchange) | No | Outdated — if the private key is compromised, all past sessions can be decrypted |
What is Forward Secrecy? Forward Secrecy (also called Perfect Forward Secrecy or PFS) ensures that each session uses a unique encryption key. Even if your server's private key is stolen in the future, attackers cannot decrypt previously recorded traffic. This is why ECDHE is strongly preferred over static RSA key exchange.
4. Cipher Strength (max 100 points)
This evaluates the encryption algorithms your server offers for securing data in transit.
| Cipher | Key Size | Rating |
|---|---|---|
| AES-256-GCM | 256-bit | Strong — authenticated encryption, industry standard |
| ChaCha20-Poly1305 | 256-bit | Strong — excellent for mobile devices without AES hardware |
| AES-128-GCM | 128-bit | Good — still secure, slightly faster than AES-256 |
| AES-CBC | 128/256-bit | Risky — vulnerable to padding oracle attacks (e.g., BEAST, Lucky13) |
| 3DES | 168-bit (effective 112) | Dangerous — vulnerable to Sweet32 attack, very slow |
| RC4 | Variable | Dangerous — multiple known biases, banned by RFC 7465 |
What Do the Grades Mean?
SSL Labs assigns a letter grade based on the combined scores and the presence or absence of critical issues:
| Grade | Meaning | Typical Configuration |
|---|---|---|
| A+ | Exceptional | TLS 1.2+, strong ciphers, HSTS enabled, no vulnerabilities |
| A | Good | TLS 1.2+, strong ciphers, but no HSTS header |
| B | Fair — needs improvement | TLS 1.0 or 1.1 still enabled, or some weak ciphers present |
| C | Weak | Obsolete ciphers (e.g., RC4), weak DH parameters |
| F | Dangerous — critical issues | SSL 3.0 enabled, known vulnerability present (Heartbleed, POODLE, etc.) |
| T | Trust issue | Certificate is not trusted — self-signed, expired, or domain mismatch |
Known SSL/TLS Vulnerabilities
SSL Labs automatically checks your server for these well-known vulnerabilities. If any are detected, your grade is immediately capped or reduced:
| Vulnerability | Year | What It Exploits | Impact |
|---|---|---|---|
| Heartbleed | 2014 | OpenSSL memory leak (CVE-2014-0160) | Leaks private keys and user data from server memory — Grade F |
| POODLE | 2014 | SSL 3.0 CBC padding | Decrypts secure connections by forcing protocol downgrade — Grade F |
| BEAST | 2011 | TLS 1.0 CBC mode | Can decrypt HTTPS cookies — mitigated in modern browsers but server-side fix recommended |
| FREAK | 2015 | Export-grade RSA cipher suites | Forces weak 512-bit RSA keys — trivially breakable |
| Logjam | 2015 | Export-grade Diffie-Hellman | Downgrades DH key exchange to 512-bit — breakable by nation-state attackers |
| ROBOT | 2017 | RSA PKCS#1 v1.5 padding oracle | Decrypts TLS sessions using RSA key exchange — discovered in 2017 but exploits a flaw from 1998 |
HSTS — The Key to Getting A+
HSTS (HTTP Strict Transport Security) is a response header that tells browsers: "Always connect to this site over HTTPS — never use plain HTTP." Without HSTS, even a server with perfect TLS configuration can only achieve a grade of A, not A+.
Why HSTS matters:
- Prevents SSL stripping attacks — where an attacker intercepts the initial HTTP request before it redirects to HTTPS
- Eliminates the HTTP-to-HTTPS redirect window — the brief moment when data could be intercepted
- Once a browser receives the HSTS header, it automatically upgrades all future requests to HTTPS for the specified duration
Nginx Configuration Example — Enable HSTS:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
The max-age=63072000 value sets the policy lifetime to 2 years, expressed in seconds. The includeSubDomains directive extends protection to all subdomains, and preload allows your domain to be included in browser preload lists for even stronger protection.
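To make the grade caps and the HSTS rule concrete, here is an added example (not from the article, Qualys, or Saeree) that parses a Strict-Transport-Security header per RFC 6797 and applies the article's grade rules to a set of scan observations. Two assumptions are labelled in the code: the six-month "long max-age" threshold for A+, and treating every vulnerability in the article's table as grade F; the real SSL Labs scoring is more detailed.

```python
from dataclasses import dataclass, field

# Six months is the assumed threshold for a "long" max-age that earns A+;
# the article itself recommends two years (63072000 seconds).
LONG_MAX_AGE = 15768000


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its three directives.
    Returns None when the header is missing or has no numeric max-age, since a
    policy without max-age is invalid and browsers ignore it."""
    if not header:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":   # directive names are case-insensitive
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


@dataclass
class Observation:
    """What a scan reports; constructed input for this example."""
    trusted: bool                 # chain validates to a recognised CA
    protocols: set                # names as in the article, e.g. {"TLS 1.2"}
    vulnerabilities: set = field(default_factory=set)   # e.g. {"POODLE"}
    weak_ciphers: set = field(default_factory=set)      # e.g. {"RC4", "3DES"}
    hsts: str = ""                # raw Strict-Transport-Security value, "" if absent


def estimate_grade(obs):
    """Apply the article's caps from most to least severe.
    Assumption: every vulnerability in the article's table is treated as F."""
    if not obs.trusted:
        return "T"
    if obs.vulnerabilities or obs.protocols & {"SSL 2.0", "SSL 3.0"}:
        return "F"
    if "RC4" in obs.weak_ciphers:       # obsolete cipher: grade C
        return "C"
    if obs.weak_ciphers or obs.protocols & {"TLS 1.0", "TLS 1.1"}:
        return "B"
    policy = parse_hsts(obs.hsts)
    if policy and policy["max_age"] >= LONG_MAX_AGE:
        return "A+"
    return "A"                          # perfect TLS but no (or short) HSTS
```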
Real Example — Saeree ERP (www.grandlinux.com)
As a provider of enterprise-grade ERP systems, we practice what we preach. Here are the actual SSL Labs results for www.grandlinux.com:
Overall Grade: A+
| Component | Score |
|---|---|
| Certificate | 100 / 100 |
| Protocol Support | 100 / 100 |
| Key Exchange | 90 / 100 |
| Cipher Strength | 90 / 100 |
This A+ grade means our server supports only TLS 1.2 and TLS 1.3, uses ECDHE for key exchange with Forward Secrecy, offers only strong ciphers (AES-GCM and ChaCha20), and has HSTS enabled. This is the same level of security we configure for all Saeree ERP deployments — because an ERP system handling financial data, procurement records, and employee information demands nothing less.
How to Fix a Low SSL Grade
If your SSL Labs test reveals a grade below A, here are the most common fixes. The examples below use Nginx configuration syntax, but similar settings exist for Apache and other web servers:
| Problem | Fix | Nginx Configuration |
|---|---|---|
| TLS 1.0/1.1 still enabled | Allow only TLS 1.2 and 1.3 | ssl_protocols TLSv1.2 TLSv1.3; |
| Weak ciphers present | Use only strong cipher suites | ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305; |
| No HSTS header (grade capped at A) | Add HSTS header | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; |
| Server prefers client cipher order | Enforce server cipher preference | ssl_prefer_server_ciphers on; |
| Missing OCSP stapling | Enable OCSP stapling for faster certificate validation | ssl_stapling on; ssl_stapling_verify on; |
| Incomplete certificate chain | Include intermediate certificates | ssl_certificate /path/to/fullchain.pem; |
How Often Should You Check?
SSL security is not a one-time setup. Threats evolve, certificates expire, and server configurations can change unexpectedly. We recommend testing in these situations:
- After any server configuration change — new certificates, web server updates, load balancer changes
- Quarterly (every 3 months) — as a routine security check, even if nothing has changed
- After a security incident — if your organization experiences a breach or discovers a vulnerability
- Before compliance audits — PDPA, ISO 27001, PCI DSS, or internal security reviews
- When a new vulnerability is disclosed — check whether your server is affected (e.g., when Heartbleed was announced, every server needed immediate testing)
Summary — SSL Security Checklist
| # | Action Item | Why It Matters |
|---|---|---|
| 1 | Use TLS 1.2 and TLS 1.3 only | Older protocols have known vulnerabilities that cannot be patched |
| 2 | Enable HSTS with long max-age | Prevents SSL stripping and ensures browsers always use HTTPS |
| 3 | Use ECDHE key exchange for Forward Secrecy | Protects past sessions even if the private key is compromised in the future |
| 4 | Allow only strong ciphers (AES-GCM, ChaCha20) | Weak ciphers like 3DES and RC4 can be broken by modern attackers |
| 5 | Keep certificates valid and chain complete | Expired or misconfigured certificates trigger browser warnings and break trust |
| 6 | Enable OCSP stapling | Speeds up certificate validation and improves connection time |
| 7 | Test regularly with SSL Labs | New vulnerabilities are discovered continuously — regular checks keep you safe |
Security is not a product you buy once — it is a process you maintain continuously. An SSL certificate is just the starting point. The real protection comes from proper configuration, regular testing, and staying ahead of emerging threats.
— Paitoon Butri, Network & Server Security Specialist
For organizations using Saeree ERP, strong SSL/TLS configuration is part of our standard deployment. Every Saeree ERP server is configured with TLS 1.2+, HSTS, Forward Secrecy, and two-factor authentication (2FA) — ensuring that your financial data, procurement records, and employee information are protected by enterprise-grade security from day one.
